Update docker/setup-buildx-action action to v3 #978

Update docker/setup-buildx-action action to v3

Update docker/setup-buildx-action action to v3 #978

Workflow file for this run

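name: semgrep

# This workflow runs on `pull_request_target`, i.e. in the context of the BASE
# repository with a write-capable GITHUB_TOKEN, so that it can comment on pull
# requests that come from forks. The flip side is that everything in the PR head
# is untrusted input:
#   * nothing checked out from the PR may be executed by the job;
#   * the semgrep rule files are loaded from the base branch, not from the PR,
#     otherwise a PR could edit `.github/workflows/config/*.yml` to neuter the
#     scan it is being checked against;
#   * the PR checkout is pinned to the event's commit SHA and is made without
#     persisting the token into `.git/config`.
# TODO(security): pin the third-party actions below to full commit SHAs instead
# of mutable tags.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened

permissions:
  contents: read        # checkout of the base repository (rule files)
  pull-requests: write  # post the findings comment on the PR

jobs:
  scan:
    # `name` keeps the per-language check names the four separate jobs used to
    # expose (docker_scan, python_scan, c_scan, javascript_scan).
    name: ${{ matrix.job }}
    runs-on: ubuntu-latest
    strategy:
      # The original jobs were independent; one language failing must not cancel
      # the other scans.
      fail-fast: false
      matrix:
        include:
          - job: docker_scan
            lang: docker
            label: Docker
            emoji: ':whale:'
            log_subject: docker/docker-compose files
            fail_subject: Dockerfiles or docker-compose files
          - job: python_scan
            lang: python
            label: Python
            emoji: ':snake:'
            log_subject: python files
            fail_subject: Python files
          - job: c_scan
            lang: c
            label: c
            emoji: ':no_mouth:'
            log_subject: c files
            fail_subject: c files
          - job: javascript_scan
            lang: javascript
            label: javascript
            emoji: ':atom_symbol:'
            log_subject: javascript files
            fail_subject: javascript files
    steps:
      # Trusted side: the base branch, which provides the semgrep rule files.
      # Nothing later needs git credentials, so do not leave the token on disk.
      - name: Checkout base branch (rules)
        uses: actions/checkout@v3
        with:
          persist-credentials: false

      # Untrusted side: the PR head. Pin to the commit SHA carried by the event
      # (a branch name can be force-pushed while the run is queued) and keep it
      # in its own directory so the rule files above cannot be shadowed.
      - name: Checkout pull request head (code under scan)
        uses: actions/checkout@v3
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          persist-credentials: false

      - name: scan
        id: scan
        env:
          # Links in the comment must point at the repository/commit that was
          # actually scanned. GITHUB_SHA on `pull_request_target` is the base
          # branch head, so it would produce links to the wrong lines.
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          RULES: ${{ github.workspace }}/.github/workflows/config/semgrep-${{ matrix.lang }}.yml
          REPORT_DIR: /home/runner/reports
          LABEL: ${{ matrix.label }}
          EMOJI: ${{ matrix.emoji }}
        run: |
          set -euo pipefail
          export DEBIAN_FRONTEND=noninteractive
          echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections
          sudo apt-get update
          # `-y` is required for a non-interactive install; DEBIAN_FRONTEND alone
          # does not answer the confirmation prompt.
          sudo apt-get install -y jq
          python3 -m pip install --upgrade pip
          # TODO(security): pin semgrep (and urllib3) to a known version/hash; an
          # unpinned install runs whatever PyPI serves at scan time.
          python3 -m pip install semgrep
          python3 -m pip install --upgrade urllib3
          mkdir -p "$REPORT_DIR"
          # Scan only the PR checkout, with rules taken from the base checkout.
          cd "$GITHUB_WORKSPACE/pr"
          semgrep --config="$RULES" --json -o "$REPORT_DIR/semgrep.out" \
            --severity ERROR ./
          echo "## Validation Issues Found ($LABEL) $EMOJI " >> "$REPORT_DIR/msg"
          # One markdown section per finding. Every language writes to the same
          # per-job `msg` file that the comment step reads (the copy/paste
          # variants used to write to `python-msg` and read from another file,
          # so the c and javascript comments contained only the header line).
          jq -r --arg ws "$GITHUB_WORKSPACE/pr" --arg url "$GITHUB_SERVER_URL/$HEAD_REPO/blob/$HEAD_SHA" '.results[] | "**File:** [\(.path | sub($ws; "."; "g"))](\(.path | sub($ws; $url; "g"))#L\(.start.line)) \n**Line Number:** \(.start.line) \n**Statement(s):** \n``` \n\(.extra.lines) \n``` \n**Rule:** \n\(.extra.message)\n\n"' "$REPORT_DIR/semgrep.out" >> "$REPORT_DIR/msg"
          # `::set-output` is deprecated; write the step output via GITHUB_OUTPUT.
          echo "found-count=$(jq '.results | length' "$REPORT_DIR/semgrep.out")" >> "$GITHUB_OUTPUT"

      - name: Fail if found
        if: steps.scan.outputs.found-count != 0
        uses: actions/github-script@v6
        env:
          # Passed through the environment rather than templated into the
          # script body, so the values are never interpreted as JavaScript.
          FOUND_COUNT: ${{ steps.scan.outputs.found-count }}
          LOG_SUBJECT: ${{ matrix.log_subject }}
          FAIL_SUBJECT: ${{ matrix.fail_subject }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            // The body contains source lines from the PR itself, i.e. untrusted
            // markdown; it is only ever posted back onto that same PR.
            const msg = fs.readFileSync('/home/runner/reports/msg', 'utf8');
            console.log(`${process.env.FOUND_COUNT} errors found in ${process.env.LOG_SUBJECT}`);
            // Await the API call so the job cannot finish before the comment
            // request has completed.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: msg,
            });
            core.setFailed(`Semgrep found errors in ${process.env.FAIL_SUBJECT}. Please check the uploaded report`);

      - name: Upload scan reports
        uses: actions/upload-artifact@v3.1.1
        if: failure()
        with:
          # Artifact names are unchanged: semgrep-<lang>-report.
          name: semgrep-${{ matrix.lang }}-report
          path: /home/runner/reports/semgrep.out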